Reputation: 2011
monitor which process modified a file under FreeBSD/Linux
From time to time, a file that I'm interested in is modified by some process. I need to find out which process is modifying this file. Using lsof will not work, nor does kqueue. Is this possible under FreeBSD and Linux?
Upvotes: 2
Views: 4158
Answers (4)
Reputation: 12641
Linux has an audit daemon http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
See also auditd homepage
Upvotes: 1
Reputation: 3609
On FreeBSD, perhaps it should be best if you check its auditing features.
Upvotes: 1
Reputation: 5180
You can see which processes opened a file just installing and using lsof (LiSt Open Files) command.
Upvotes: 0
Reputation: 2696
On Linux, there's a kernel patch floating around for inotify. However, some have said this is rarely useful and that it can be a security risk. In any case, here's the patch.
Apart from that, I'm not sure there's any way to get the PID, either with inotify or dnotify. You could investigate further (e.g. search for pid dnotify or pid inotify), but I believe it isn't likely.
Upvotes: 2
Related Questions
- Linux - How to track all files accessed by a process?
- how to know which processes accessed a file?
- Monitoring file changes in C++ on Linux
- Find all changes in filesystem done by a process in Linux/Mac?
- How to monitor a file to find out which process will write or delete it in the future
- How to get files modified by certain process in Linux
- Is it possible to identify what process is changing a file with FileSystemWatcher?
- How to track file creation and modification
- how to find what processes have written to a file on Linux
- Determine files modified by process